Understanding Legacy Data Structures

This appendix contains information about data structures supported by eStreamer in previous versions of FireSIGHT System products.

If your client uses event stream requests with bits set to request data in older version formats, you can use the information in this appendix to identify the data structures of the data messages you receive.

Note that prior to version 5.0, IDs were assigned to individual detection engines; from version 5.0 onward, IDs are assigned to managed devices instead. The data structures for each version reflect whichever scheme applied to it.

Note: This appendix describes only data structures from version 4.9 or later of the FireSIGHT System. If you require documentation for structures from earlier data structure versions, contact Cisco Customer Support.

For version 5.0.x - 5.1 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier.

Record layout (each line is one field in wire order; the graphic's byte 0-3 / bit 0-31 ruler is omitted):

Header Version (1)
Message Type (4)
Message Length
Record Type (207)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IPv4 Address
Destination IPv4 Address
Source Port
Destination Port
IP Protocol ID
Impact Flags
Impact
Blocked
MPLS Label
VLAN ID
Pad
Policy UUID (16 bytes, four 32-bit rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (16 bytes, four 32-bit rows)
Interface Ingress UUID (16 bytes, four 32-bit rows)
Interface Egress UUID (16 bytes, four 32-bit rows)
Security Zone Ingress UUID (16 bytes, four 32-bit rows)
Security Zone Egress UUID (16 bytes, four 32-bit rows)

The following table describes each intrusion event record data field.

Table B-1 Intrusion Event (IPv4) Record Fields

Field (Data Type): Description

Device ID (uint32): Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID (uint32): Event identification number.

Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID) (uint32): Rule identification number that corresponds with the event.

Generator ID (uint32): Identification number of the FireSIGHT System preprocessor that generated the event.

Rule Revision (uint32): Rule revision number.

Classification ID (uint32): Identification number of the event classification message.

Priority ID (uint32): Identification number of the priority associated with the event.

Source IPv4 Address (uint32): Source IPv4 address used in the event.

Destination IPv4 Address (uint32): Destination IPv4 address used in the event.

Source Port (uint16): The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port (uint16): The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol ID (uint8): IP protocol number of the traffic that caused the event.

Impact Flags (uint8): Impact flag bits for the event. The following values may be set:
0x01 (bit 0) - Source or destination host is in a network monitored by the system.
0x02 (bit 1) - Source or destination host exists in the network map.
0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event.
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
gray (0, unknown): 00X00000
red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
orange (2, potentially vulnerable): 00X00111
yellow (3, currently not vulnerable): 00X00011
blue (4, unknown target): 00X00001

Impact (uint8): Impact flag value of the event. Values are:
1 - Red (vulnerable)
2 - Orange (potentially vulnerable)
3 - Yellow (currently not vulnerable)
4 - Blue (unknown target)
5 - Gray (unknown impact)

Blocked (uint8): Value indicating whether the event was blocked:
0 - not blocked
1 - blocked
2 - would be blocked (but not permitted by configuration)

MPLS Label (uint32): MPLS label.

VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated.

Pad (uint16): Reserved for future use.

Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.

User ID (uint32): The internal identification number for the user, if applicable.

Web Application ID (uint32): The internal identification number for the web application, if applicable.

Client Application ID (uint32): The internal identification number for the client application, if applicable.

Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.

Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.

Intrusion Event (IPv6) Record 5.0.x - 5.1

The fields in the intrusion event (IPv6) record are shaded in the following graphic. The record type is 208.

Impact Flags (uint8): Impact flag bits for the event. The following values may be set:
0x01 (bit 0) - Source or destination host is in a network monitored by the system.
0x02 (bit 1) - Source or destination host exists in the network map.
0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event.
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
gray (0, unknown): 00X00000
red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
orange (2, potentially vulnerable): 00X00111
yellow (3, currently not vulnerable): 00X00011
blue (4, unknown target): 00X00001

Impact (uint8): Impact flag value of the event. Values are:
1 - Red (vulnerable)
2 - Orange (potentially vulnerable)
3 - Yellow (currently not vulnerable)
4 - Blue (unknown target)
5 - Gray (unknown impact)

Blocked (uint8): Value indicating whether the event was blocked:
0 - not blocked
1 - blocked
2 - would be blocked (but not permitted by configuration)

MPLS Label (uint32): MPLS label. (Applies to 4.9+ events only.)

VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated. (Applies to 4.9+ events only.)

Pad (uint16): Reserved for future use.

Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.

User ID (uint32): The internal identification number for the user, if applicable.

Web Application ID (uint32): The internal identification number for the web application, if applicable.

Client Application ID (uint32): The internal identification number for the client application, if applicable.

Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.

Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.

Intrusion Event Record 5.2.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 34 in the series 2 set of data blocks.

You can request 5.2.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 5 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.2.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Record layout (each line is one field in wire order; the graphic's byte 0-3 / bit 0-31 ruler is omitted):

Header Version (1)
Message Type (4)
Message Length
Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (34)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (16 bytes, four 32-bit rows)
Destination IP Address (16 bytes, four 32-bit rows)
Source Port or ICMP Type
Destination Port or ICMP Code
IP Protocol ID
Impact Flags
Impact
Blocked
MPLS Label
VLAN ID
Pad
Policy UUID (16 bytes, four 32-bit rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (16 bytes, four 32-bit rows)
Interface Ingress UUID (16 bytes, four 32-bit rows)
Interface Egress UUID (16 bytes, four 32-bit rows)
Security Zone Ingress UUID (16 bytes, four 32-bit rows)
Security Zone Egress UUID (16 bytes, four 32-bit rows)
Connection Timestamp
Connection Instance ID
Connection Counter
Source Country
Destination Country

The following table describes each intrusion event record data field.

Table B-3 Intrusion Event Record 5.2.x Fields

Field (Data Type): Description

Block Type (uint32): Initiates an Intrusion Event data block. This value is always 34.

Block Length (uint32): Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID (uint32): Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID (uint32): Event identification number.

Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID) (uint32): Rule identification number that corresponds with the event.

Generator ID (uint32): Identification number of the FireSIGHT System preprocessor that generated the event.

Rule Revision (uint32): Rule revision number.

Classification ID (uint32): Identification number of the event classification message.

Priority ID (uint32): Identification number of the priority associated with the event.

Source IP Address (uint8[16]): Source IPv4 or IPv6 address used in the event.

Destination IP Address (uint8[16]): Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type (uint16): The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code (uint16): The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol ID (uint8): IP protocol number of the traffic that caused the event.

Impact Flags (uint8): Impact flag bits for the event. The following values may be set:
0x01 (bit 0) - Source or destination host is in a network monitored by the system.
0x02 (bit 1) - Source or destination host exists in the network map.
0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
gray (0, unknown): 00X00000
red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
orange (2, potentially vulnerable): 00X00111
yellow (3, currently not vulnerable): 00X00011
blue (4, unknown target): 00X00001

Impact (uint8): Impact flag value of the event. Values are:
1 - Red (vulnerable)
2 - Orange (potentially vulnerable)
3 - Yellow (currently not vulnerable)
4 - Blue (unknown target)
5 - Gray (unknown impact)

Blocked (uint8): Value indicating whether the event was blocked:
0 - not blocked
1 - blocked
2 - would be blocked (but not permitted by configuration)

MPLS Label (uint32): MPLS label.

VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated.

Pad (uint16): Reserved for future use.

Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.

User ID (uint32): The internal identification number for the user, if applicable.

Web Application ID (uint32): The internal identification number for the web application, if applicable.

Client Application ID (uint32): The internal identification number for the client application, if applicable.

Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.

Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp (uint32): UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID (uint16): Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter (uint16): Value used to distinguish between connection events that happen during the same second.

Source Country (uint16): Code for the country of the source host.

Destination Country (uint16): Code for the country of the destination host.

Intrusion Event Record 5.3

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 41 in the series 2 set of data blocks.

You can request 5.3 intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 6 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.3 intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Record layout (each line is one field in wire order; the graphic's byte 0-3 / bit 0-31 ruler is omitted):

Header Version (1)
Message Type (4)
Message Length
Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (41)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (16 bytes, four 32-bit rows)
Destination IP Address (16 bytes, four 32-bit rows)
Source Port or ICMP Type
Destination Port or ICMP Code
IP Protocol ID
Impact Flags
Impact
Blocked
MPLS Label
VLAN ID
Pad
Policy UUID (16 bytes, four 32-bit rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (16 bytes, four 32-bit rows)
Interface Ingress UUID (16 bytes, four 32-bit rows)
Interface Egress UUID (16 bytes, four 32-bit rows)
Security Zone Ingress UUID (16 bytes, four 32-bit rows)
Security Zone Egress UUID (16 bytes, four 32-bit rows)
Connection Timestamp
Connection Instance ID
Connection Counter
Source Country
Destination Country
IOC Number

The following table describes each intrusion event record data field.

Table B-4 Intrusion Event Record 5.3 Fields

Field (Data Type): Description

Block Type (uint32): Initiates an Intrusion Event data block. This value is always 41.

Block Length (uint32): Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID (uint32): Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID (uint32): Event identification number.

Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID) (uint32): Rule identification number that corresponds with the event.

Generator ID (uint32): Identification number of the FireSIGHT System preprocessor that generated the event.

Rule Revision (uint32): Rule revision number.

Classification ID (uint32): Identification number of the event classification message.

Priority ID (uint32): Identification number of the priority associated with the event.

Source IP Address (uint8[16]): Source IPv4 or IPv6 address used in the event.

Destination IP Address (uint8[16]): Destination IPv4 or IPv6 address used in the event.

Source Port or ICMP Type (uint16): The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port or ICMP Code (uint16): The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol ID (uint8): IP protocol number of the traffic that caused the event.

Impact Flags (uint8): Impact flag bits for the event. The following values may be set:
0x01 (bit 0) - Source or destination host is in a network monitored by the system.
0x02 (bit 1) - Source or destination host exists in the network map.
0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
gray (0, unknown): 00X00000
red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
orange (2, potentially vulnerable): 00X00111
yellow (3, currently not vulnerable): 00X00011
blue (4, unknown target): 00X00001

Impact (uint8): Impact flag value of the event. Values are:
1 - Red (vulnerable)
2 - Orange (potentially vulnerable)
3 - Yellow (currently not vulnerable)
4 - Blue (unknown target)
5 - Gray (unknown impact)

Blocked (uint8): Value indicating whether the event was blocked:
0 - not blocked
1 - blocked
2 - would be blocked (but not permitted by configuration)

MPLS Label (uint32): MPLS label.

VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated.

Pad (uint16): Reserved for future use.

Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.

User ID (uint32): The internal identification number for the user, if applicable.

Web Application ID (uint32): The internal identification number for the web application, if applicable.

Client Application ID (uint32): The internal identification number for the client application, if applicable.

Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.

Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp (uint32): UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID (uint16): Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter (uint16): Value used to distinguish between connection events that happen during the same second.

Source Country (uint16): Code for the country of the source host.

Destination Country (uint16): Code for the country of the destination host.

IOC Number (uint16): ID number of the compromise associated with this event.
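The following parser is an added example, not code from the eStreamer guide or from Cisco: it decodes a 5.2.x (block type 34) or 5.3 (block type 41) intrusion event record as laid out above, validates the lengths, derives the Defense Center colour from the Impact Flags bit patterns and cross-checks it against the Impact field, and builds the two identifier tuples the text defines. Beyond what the page states it assumes network (big-endian) byte order, uint16 Header Version and Message Type, a uint8 IP Protocol ID, IPv4 addresses carried in the 16-byte fields as IPv4-mapped IPv6, and that Message Length and Record Length count the bytes that follow them; the sample message is constructed, not captured.

```python
"""Added example, not the eStreamer guide's code: parse a 5.2.x/5.3 intrusion
event record (record type 400, block type 34 or 41) and classify its Impact
Flags with the bit patterns from Tables B-3/B-4. Assumptions are marked."""
import ipaddress
import struct
import uuid

RECORD_TYPE_INTRUSION = 400
BLOCK_VERSIONS = {34: "5.2.x", 41: "5.3"}
FLAG_ARCHIVE_TIMESTAMP = 1 << 23  # request bit 23: two extra uint32s per record
# Assumed: network byte order; Header Version and Message Type are uint16 each.
HEADER = struct.Struct(">HHI")     # Header Version (1), Message Type (4), Message Length
RECORD = struct.Struct(">II")      # Record Type, Record Length
ARCHIVE = struct.Struct(">II")     # eStreamer Server Timestamp, Reserved (bit 23 only)
BLOCK_HDR = struct.Struct(">II")   # Block Type, Block Length (includes these 8 bytes)
BODY_52 = struct.Struct(">9I16s16sHHBBBBIHH16s5I16s16s16s16s16sIHHHH")  # assumed uint8 IP Protocol ID
BODY_53 = struct.Struct(BODY_52.format + "H")  # 5.3 appends IOC Number
FIELDS = (
    "device_id", "event_id", "event_second", "event_microsecond", "rule_id",
    "generator_id", "rule_revision", "classification_id", "priority_id",
    "src_ip", "dst_ip", "src_port", "dst_port", "ip_protocol", "impact_flags",
    "impact", "blocked", "mpls_label", "vlan_id", "pad", "policy_uuid",
    "user_id", "web_app_id", "client_app_id", "app_protocol_id", "ac_rule_id",
    "ac_policy_uuid", "ingress_if_uuid", "egress_if_uuid", "ingress_zone_uuid",
    "egress_zone_uuid", "conn_timestamp", "conn_instance", "conn_counter",
    "src_country", "dst_country",
)
IMPACT_NAMES = {1: "red", 2: "orange", 3: "yellow", 4: "blue", 5: "gray"}
RED_BITS = 0x08 | 0x10 | 0x40 | 0x80  # OS vuln, server vuln, rule metadata red, client vuln
DROPPED_BIT = 0x20                    # the "X" in 00X00nnn: does not affect the colour


def impact_from_flags(flags: int) -> str:
    """Colour the Defense Center assigns to an Impact Flags byte (page's bit patterns)."""
    if flags & RED_BITS:
        return "red"                      # XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
    low = flags & 0xFF & ~DROPPED_BIT     # bits 3,4,6,7 are clear here, so low is 0..7
    return {0b111: "orange", 0b011: "yellow", 0b001: "blue", 0b000: "gray"}.get(low, "undefined")


def decode_ip(raw: bytes):
    """16-byte address field; assumed: IPv4 is carried as an IPv4-mapped IPv6 address."""
    addr = ipaddress.IPv6Address(raw)
    return addr.ipv4_mapped or addr


def parse_intrusion_event(msg: bytes, request_flags: int = 0) -> dict:
    """Parse one event data message carrying a 5.2.x or 5.3 intrusion event record."""
    version, msg_type, msg_len = HEADER.unpack_from(msg, 0)
    if (version, msg_type) != (1, 4) or msg_len != len(msg) - HEADER.size:  # assumed: length excludes header
        raise ValueError("not a well-formed event data message")
    off = HEADER.size
    rec_type, rec_len = RECORD.unpack_from(msg, off)
    off += RECORD.size
    if rec_type != RECORD_TYPE_INTRUSION or rec_len > len(msg) - off:
        raise ValueError(f"unexpected record type {rec_type} or length {rec_len}")
    server_ts = None
    if request_flags & FLAG_ARCHIVE_TIMESTAMP:  # present only when the client asked for it
        server_ts, _reserved = ARCHIVE.unpack_from(msg, off)
        off += ARCHIVE.size
    block_type, block_len = BLOCK_HDR.unpack_from(msg, off)
    body = {34: BODY_52, 41: BODY_53}.get(block_type)
    if body is None:
        raise ValueError(f"unsupported block type {block_type}")
    if block_len != BLOCK_HDR.size + body.size:  # Block Length counts its own 8 bytes (Table B-3)
        raise ValueError(f"block length {block_len} does not fit block type {block_type}")
    names = FIELDS + (("ioc_number",) if block_type == 41 else ())
    ev = dict(zip(names, body.unpack_from(msg, off + BLOCK_HDR.size)))
    ev["version"], ev["server_timestamp"] = BLOCK_VERSIONS[block_type], server_ts
    ev["src_ip"], ev["dst_ip"] = decode_ip(ev["src_ip"]), decode_ip(ev["dst_ip"])
    for k in names:
        if k.endswith("_uuid"):
            ev[k] = uuid.UUID(bytes=ev[k])
    ev["ports_are_icmp"] = ev["ip_protocol"] in (1, 58)  # ICMP/ICMPv6: fields hold type and code
    ev["impact_colour"] = impact_from_flags(ev["impact_flags"])
    ev["impact_consistent"] = IMPACT_NAMES.get(ev["impact"]) == ev["impact_colour"]
    # The two identifier tuples the page defines for 5.2.x/5.3 intrusion events.
    ev["event_key"] = (ev["device_id"], ev["event_id"], ev["event_second"])
    ev["connection_key"] = (ev["conn_timestamp"], ev["conn_instance"], ev["conn_counter"])
    return ev


def build_sample(block_type: int = 41, request_flags: int = 0) -> bytes:
    """Constructed sample message (not captured traffic) exercising the parser."""
    u = bytes(range(16))                   # placeholder UUID bytes
    vals = [7, 1001, 1700000000, 250, 2000001, 1, 3, 9, 2,
            ipaddress.IPv6Address("::ffff:192.0.2.10").packed,  # IPv4-mapped source
            ipaddress.IPv6Address("2001:db8::443").packed,
            40000, 443, 6, 0x13, 1, 0,     # TCP; flags 0x13 include 0x10 -> red, Impact 1
            0, 100, 0, u, 0, 0, 0, 0, 5, u, u, u, u, u,
            1700000000, 2, 17, 840, 276]
    if block_type == 41:
        vals.append(12)                    # IOC Number (5.3 only)
    data = (BODY_53 if block_type == 41 else BODY_52).pack(*vals)
    block = BLOCK_HDR.pack(block_type, BLOCK_HDR.size + len(data)) + data
    if request_flags & FLAG_ARCHIVE_TIMESTAMP:
        block = ARCHIVE.pack(1700000005, 0) + block
    record = RECORD.pack(RECORD_TYPE_INTRUSION, len(block)) + block
    return HEADER.pack(1, 4, len(record)) + record
```

Because the parser rejects a Block Length that does not match the block type, a client that requested version code 5 but receives a block type 41 record (or vice versa) fails loudly instead of silently misaligning every field after the one that differs.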

Intrusion Event Record 5.1.1.x

The fields in the intrusion event record are shaded in the following graphic. The record type is 400 and the block type is 25.

You can request 5.1.1.x intrusion events from eStreamer only by extended request, for which you request event type code 12 and version code 4 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests).

For version 5.1.1.x intrusion events, the event ID, the managed device ID, and the event second form a unique identifier. The connection second, connection instance, and connection counter together form a unique identifier for the connection event associated with the intrusion event.

Record layout (each line is one field in wire order; the graphic's byte 0-3 / bit 0-31 ruler is omitted):

Header Version (1)
Message Type (4)
Message Length
Record Type (400)
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)
Block Type (25)
Block Length
Device ID
Event ID
Event Second
Event Microsecond
Rule ID (Signature ID)
Generator ID
Rule Revision
Classification ID
Priority ID
Source IP Address (16 bytes, four 32-bit rows)
Destination IP Address (16 bytes, four 32-bit rows)
Source Port/ICMP Type
Destination Port/ICMP Code
IP Protocol ID
Impact Flags
Impact
Blocked
MPLS Label
VLAN ID
Pad
Policy UUID (16 bytes, four 32-bit rows)
User ID
Web Application ID
Client Application ID
Application Protocol ID
Access Control Rule ID
Access Control Policy UUID (16 bytes, four 32-bit rows)
Interface Ingress UUID (16 bytes, four 32-bit rows)
Interface Egress UUID (16 bytes, four 32-bit rows)
Security Zone Ingress UUID (16 bytes, four 32-bit rows)
Security Zone Egress UUID (16 bytes, four 32-bit rows)
Connection Timestamp
Connection Instance ID
Connection Counter

The following table describes each intrusion event record data field.

Table B-5 Intrusion Event Record 5.1.1 Fields

Field (Data Type): Description

Block Type (uint32): Initiates an Intrusion Event data block. This value is always 25.

Block Length (uint32): Total number of bytes in the Intrusion Event data block, including eight bytes for the Intrusion Event block type and length fields, plus the number of bytes of data that follows.

Device ID (uint32): Contains the identification number of the detecting managed device. You can obtain the managed device name by requesting Version 3 or 4 metadata. See Managed Device Record Metadata for more information.

Event ID (uint32): Event identification number.

Event Second (uint32): UNIX timestamp (seconds since 01/01/1970) of the event’s detection.

Event Microsecond (uint32): Microsecond (one millionth of a second) increment of the timestamp of the event’s detection.

Rule ID (Signature ID) (uint32): Rule identification number that corresponds with the event.

Generator ID (uint32): Identification number of the FireSIGHT System preprocessor that generated the event.

Rule Revision (uint32): Rule revision number.

Classification ID (uint32): Identification number of the event classification message.

Priority ID (uint32): Identification number of the priority associated with the event.

Source IP Address (uint8[16]): Source IPv4 or IPv6 address used in the event.

Destination IP Address (uint8[16]): Destination IPv4 or IPv6 address used in the event.

Source Port/ICMP Type (uint16): The source port number if the event protocol type is TCP or UDP, or the ICMP type if the event is caused by ICMP traffic.

Destination Port/ICMP Code (uint16): The destination port number if the event protocol type is TCP or UDP, or the ICMP code if the event is caused by ICMP traffic.

IP Protocol ID (uint8): IP protocol number of the traffic that caused the event.

Impact Flags (uint8): Impact flag bits for the event. The following values may be set:
0x01 (bit 0) - Source or destination host is in a network monitored by the system.
0x02 (bit 1) - Source or destination host exists in the network map.
0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.
0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.
0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.
0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.
0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event.
The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
gray (0, unknown): 00X00000
red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX
orange (2, potentially vulnerable): 00X00111
yellow (3, currently not vulnerable): 00X00011
blue (4, unknown target): 00X00001

Impact (uint8): Impact flag value of the event. Values are:
1 - Red (vulnerable)
2 - Orange (potentially vulnerable)
3 - Yellow (currently not vulnerable)
4 - Blue (unknown target)
5 - Gray (unknown impact)

Blocked (uint8): Value indicating whether the event was blocked:
0 - not blocked
1 - blocked
2 - would be blocked (but not permitted by configuration)

MPLS Label (uint32): MPLS label.

VLAN ID (uint16): Indicates the ID of the VLAN where the packet originated.

Pad (uint16): Reserved for future use.

Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the intrusion policy.

User ID (uint32): The internal identification number for the user, if applicable.

Web Application ID (uint32): The internal identification number for the web application, if applicable.

Client Application ID (uint32): The internal identification number for the client application, if applicable.

Application Protocol ID (uint32): The internal identification number for the application protocol, if applicable.

Access Control Rule ID (uint32): A rule ID number that acts as a unique identifier for the access control rule.

Access Control Policy UUID (uint8[16]): A policy ID number that acts as a unique identifier for the access control policy.

Ingress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the ingress interface.

Egress Interface UUID (uint8[16]): An interface ID number that acts as a unique identifier for the egress interface.

Ingress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the ingress security zone.

Egress Security Zone UUID (uint8[16]): A zone ID number that acts as a unique identifier for the egress security zone.

Connection Timestamp (uint32): UNIX timestamp (seconds since 01/01/1970) of the connection event associated with the intrusion event.

Connection Instance ID (uint16): Numerical ID of the Snort instance on the managed device that generated the connection event.

Connection Counter (uint16): Value used to distinguish between connection events that happen during the same second.

Intrusion Impact Alert Data

The Intrusion Impact Alert event contains information about impact events. It is transmitted when an intrusion event is compared to the system network map data and the impact is determined. It uses the standard record header with a record type of 9, followed by an Intrusion Impact Alert data block with a data block type of 20 in the series 1 group of blocks. For more information about series 1 data blocks, see Understanding Discovery (Series 1) Blocks.

You can request that eStreamer transmit only intrusion impact events by setting bit 5 in the Flags field of the request message. See Event Stream Request Message Format for more information about request messages. Version 1 of these alerts handles only IPv4. Version 2, introduced in 5.3, handles IPv6 events in addition to IPv4.

0x01 (bit 0) - Source or destination host is in a network monitored by the system.

0x02 (bit 1) - Source or destination host exists in the network map.

0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.

0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.

0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.

0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.

0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red. The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.

0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event. (version 5.0+ only)

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:
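The bit definitions above and the three level patterns this excerpt lists (orange 00X00111, yellow 00X00011, blue 00X00001) can be turned into a small decoder that a log pipeline can use to name the set bits, derive the level, and cross-check it against the separate Impact field. This is an added example and not code from the eStreamer documentation; the patterns for red and gray are not in this excerpt, so the decoder reports None for any other combination rather than guessing.

```python
"""Decode the Impact Flags byte of a legacy eStreamer intrusion event.

Added example; not code from the eStreamer documentation. Bit meanings are
the 0x01..0x80 definitions given in the text. The level patterns are the
three this excerpt shows (orange 00X00111, yellow 00X00011, blue 00X00001),
written MSB first with X at bit 5 (the "session dropped" bit, which does not
affect the level); any other combination is reported as None, not guessed.
"""

IMPACT_FLAG_BITS = {
    0x01: "source/destination host in a monitored network",
    0x02: "source/destination host exists in the network map",
    0x04: "host runs a server on the event port / uses the IP protocol",
    0x08: "vulnerability mapped to the host operating system",
    0x10: "vulnerability mapped to the detected server",
    0x20: "event caused the device to drop the session (blocked)",
    0x40: "rule metadata sets impact red (possible compromise)",
    0x80: "vulnerability mapped to the detected client (5.0+)",
}

# (care_mask, required_value, impact_level, colour). The X position (bit 5,
# 0x20) is cleared from the mask so either value of that bit matches.
IMPACT_LEVEL_PATTERNS = (
    (0xFF & ~0x20, 0x07, 2, "orange"),   # 00X00111: potentially vulnerable
    (0xFF & ~0x20, 0x03, 3, "yellow"),   # 00X00011: currently not vulnerable
    (0xFF & ~0x20, 0x01, 4, "blue"),     # 00X00001: unknown target
)


def decode_impact_flags(flags):
    """Return the human-readable names of every set bit, lowest bit first."""
    if not 0 <= flags <= 0xFF:
        raise ValueError("Impact Flags is a single uint8")
    return [name for bit, name in IMPACT_FLAG_BITS.items() if flags & bit]


def impact_level_from_flags(flags):
    """Map a flags byte to (level, colour) using the patterns above, or None."""
    for care_mask, required, level, colour in IMPACT_LEVEL_PATTERNS:
        if flags & care_mask == required:
            return level, colour
    return None


def was_blocked(flags):
    """Bit 5 mirrors the blocked status shown in the web interface."""
    return bool(flags & 0x20)


def check_impact_consistency(flags, impact_field):
    """Cross-check the Impact uint8 field against the level derived from the
    flags. Returns True when they agree, or when the flags pattern is one this
    excerpt does not list (so nothing can be concluded from it)."""
    derived = impact_level_from_flags(flags)
    return derived is None or derived[0] == impact_field
```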

Legacy Malware Event Data Structures

Malware Event Data Block 5.1

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 16 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 1 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); fields in the order they appear, several straddling word boundaries in the original diagram:

Malware Event Block Type (16)
Malware Event Block Length
Agent UUID (four words)
Cloud UUID (four words)
Timestamp
Event Type ID
Event Subtype ID
Host IP Address
Detector ID
Detection Name: String Block Type (0), String Block Length, Detection Name...
User: String Block Type (0), String Block Length, User...
File Name: String Block Type (0), String Block Length, File Name...
File Path: String Block Type (0), String Block Length, File Path...
File SHA Hash: String Block Type (0), String Block Length, File SHA Hash...
File Size
File Type
File Timestamp
Parent File Name: String Block Type (0), String Block Length, Parent File Name...
Parent File SHA Hash: String Block Type (0), String Block Length, Parent File SHA Hash...
Event Description: String Block Type (0), String Block Length, Event Description...

The following table describes the fields in the malware event data block.

Table B-7 Malware Event Data Block Fields

Field

Data Type

Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 16.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the FireAMP agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint8

The internal ID of the action that led to malware detection.

Host IP Address

uint32

The host IP address associated with the malware event.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and length fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Malware Event Data Block 5.1.1.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 24 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 2 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); fields in the order they appear, several straddling word boundaries in the original diagram:

Malware Event Block Type (24)
Malware Event Block Length
Agent UUID (four words)
Cloud UUID (four words)
Malware Event Timestamp
Event Type ID
Event Subtype ID
Host IP Address
Detector ID
Detection Name: String Block Type (0), String Block Length, Detection Name...
User: String Block Type (0), String Block Length, User...
File Name: String Block Type (0), String Block Length, File Name...
File Path: String Block Type (0), String Block Length, File Path...
File SHA Hash: String Block Type (0), String Block Length, File SHA Hash...
File Size
File Type
File Timestamp
Parent File Name: String Block Type (0), String Block Length, Parent File Name...
Parent File SHA Hash: String Block Type (0), String Block Length, Parent File SHA Hash...
Event Description: String Block Type (0), String Block Length, Event Description...
Device ID
Connection Instance
Connection Counter
Connection Event Timestamp
Direction
Source IP Address (four words)
Destination IP Address (four words)
Application ID
User ID
Access Control Policy UUID (four words)
Disposition
Retrospective Disposition
URI: String Block Type (0), String Block Length, URI...
Source Port
Destination Port

The following table describes the fields in the malware event data block.

Table B-8 Malware Event Data Block for 5.1.1.x Fields

Field

Data Type

Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 24.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the FireAMP agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint8

The internal ID of the action that led to malware detection.

Host IP Address

uint32

The host IP address associated with the malware event.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and length fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

1 - Download

2 - Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

1 - CLEAN - The file is clean and does not contain malware.

2 - UNKNOWN - It is unknown whether the file contains malware.

3 - MALWARE - The file contains malware.

4 - CACHE_MISS - The software was unable to send a request to the Cisco cloud for a disposition.

5 - NO_CLOUD_RESP - The Cisco cloud services did not respond to the request.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.
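The trailing connection fields of this block (Device ID through Destination Port) have unambiguous sizes in the table above, and the URI is carried in a String data block whose length counts its own eight header bytes, so a parser must validate that length against the buffer before slicing. The following parser is an added example, not code from the eStreamer documentation; it assumes big-endian (network byte order) integers, that an IPv4 value in a uint8[16] field is IPv4-mapped (::ffff:a.b.c.d), and uses a constructed sample block with a placeholder policy UUID.

```python
"""Parse the connection portion of a 5.1.1.x malware event data block (type 24).

Added example; not code from the eStreamer documentation. Assumptions:
big-endian (network byte order) integers, which is what eStreamer uses; a
16-byte address carrying an IPv4 value is IPv4-mapped (::ffff:a.b.c.d); the
sample bytes below are constructed here and cover only the fields from Device
ID to Destination Port, whose sizes the table above gives unambiguously.
"""
import ipaddress
import struct
import uuid
from dataclasses import dataclass

STRING_BLOCK_TYPE = 0
MALWARE_BLOCK_TYPE_5_1_1 = 24
DISPOSITIONS_5_1_1 = {1: "CLEAN", 2: "UNKNOWN", 3: "MALWARE",
                      4: "CACHE_MISS", 5: "NO_CLOUD_RESP"}
DIRECTIONS = {1: "Download", 2: "Upload"}

# Device ID .. Retrospective Disposition: the fixed-size run before the URI.
TAIL_FIXED = ">IHHIB16s16sII16sBB"          # 71 bytes


def read_block_header(buf, off, expected_type):
    """Validate a (type, length) header; length counts the 8 header bytes."""
    if off + 8 > len(buf):
        raise ValueError("truncated block header")
    btype, blen = struct.unpack_from(">II", buf, off)
    if btype != expected_type:
        raise ValueError(f"expected block type {expected_type}, got {btype}")
    if blen < 8 or off + blen > len(buf):
        raise ValueError(f"block length {blen} out of range")
    return blen


def read_string_block(buf, off):
    """Return (text, next_offset) for a String data block starting at off."""
    blen = read_block_header(buf, off, STRING_BLOCK_TYPE)
    text = buf[off + 8:off + blen].decode("utf-8", errors="replace")
    return text, off + blen


def read_ip16(raw):
    """uint8[16] holding IPv4 or IPv6; unwrap IPv4-mapped form (assumption)."""
    addr = ipaddress.IPv6Address(raw)
    return addr.ipv4_mapped or addr


@dataclass
class MalwareConnection:
    device_id: int
    connection_instance: int
    connection_counter: int
    connection_timestamp: int
    direction: str
    source_ip: object
    destination_ip: object
    application_id: int
    user_id: int
    access_control_policy_uuid: uuid.UUID
    disposition: str
    retrospective_disposition: str
    uri: str
    source_port: int
    destination_port: int


def parse_connection_tail(buf, off=0):
    """Parse Device ID .. Destination Port; return (record, next_offset)."""
    fixed_len = struct.calcsize(TAIL_FIXED)
    if off + fixed_len > len(buf):
        raise ValueError("truncated fixed connection fields")
    (dev, inst, ctr, ts, direction, src, dst, app, user,
     acp, disp, retro) = struct.unpack_from(TAIL_FIXED, buf, off)
    off += fixed_len
    uri, off = read_string_block(buf, off)
    if off + 4 > len(buf):
        raise ValueError("truncated port fields")
    sport, dport = struct.unpack_from(">HH", buf, off)
    rec = MalwareConnection(
        dev, inst, ctr, ts,
        DIRECTIONS.get(direction, f"unknown({direction})"),
        read_ip16(src), read_ip16(dst), app, user, uuid.UUID(bytes=acp),
        DISPOSITIONS_5_1_1.get(disp, f"unknown({disp})"),
        DISPOSITIONS_5_1_1.get(retro, f"unknown({retro})"),
        uri, sport, dport)
    return rec, off + 4


def build_sample_tail():
    """Constructed sample: an HTTP download judged MALWARE from an IPv6 server
    to an IPv4 client. All values are illustrative, not real telemetry."""
    uri = b"http://example.invalid/update.exe"
    src = ipaddress.IPv6Address("::ffff:10.1.2.3").packed
    dst = ipaddress.IPv6Address("2001:db8::5").packed
    acp = uuid.UUID("00000000-0000-0000-0000-000000000001").bytes  # placeholder
    fixed = struct.pack(TAIL_FIXED, 7, 2, 1234, 1400000000, 1,
                        src, dst, 42, 0, acp, 3, 3)
    string_block = struct.pack(">II", STRING_BLOCK_TYPE, 8 + len(uri)) + uri
    return fixed + string_block + struct.pack(">HH", 49152, 80)


if __name__ == "__main__":
    record, end = parse_connection_tail(build_sample_tail())
    print(record, end)
```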

Malware Event Data Block 5.2.x

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 33 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 3 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); fields in the order they appear, several straddling word boundaries in the original diagram:

Malware Event Block Type (33)
Malware Event Block Length
Agent UUID (four words)
Cloud UUID (four words)
Malware Event Timestamp
Event Type ID
Event Subtype ID
Detector ID
Detection Name: String Block Type (0), String Block Length, Detection Name...
User: String Block Type (0), String Block Length, User...
File Name: String Block Type (0), String Block Length, File Name...
File Path: String Block Type (0), String Block Length, File Path...
File SHA Hash: String Block Type (0), String Block Length, File SHA Hash...
File Size
File Type
File Timestamp
Parent File Name: String Block Type (0), String Block Length, Parent File Name...
Parent File SHA Hash: String Block Type (0), String Block Length, Parent File SHA Hash...
Event Description: String Block Type (0), String Block Length, Event Description...
Device ID
Connection Instance
Connection Counter
Connection Event Timestamp
Direction
Source IP Address (four words)
Destination IP Address (four words)
Application ID
User ID
Access Control Policy UUID (four words)
Disposition
Retrospective Disposition
URI: String Block Type (0), String Block Length, URI...
Source Port
Destination Port
Source Country
Destination Country
Web Application ID
Client Application ID
Action
Protocol

The following table describes the fields in the malware event data block.

Table B-9 Malware Event Data Block for 5.2.x Fields

Field

Data Type

Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 33.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the FireAMP agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint8

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and length fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

1 - Download

2 - Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

1 - CLEAN - The file is clean and does not contain malware.

2 - NEUTRAL - It is unknown whether the file contains malware.

3 - MALWARE - The file contains malware.

4 - CACHE_MISS - The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

1 - Detect

2 - Block

3 - Malware Cloud Lookup

4 - Malware Block

5 - Malware Whitelist

Protocol

uint8

IANA protocol number specified by the user. For example:

1 - ICMP

4 - IP

6 - TCP

17 - UDP

This is currently only TCP.

Malware Event Data Block 5.3

The eStreamer service uses the malware event data block to store information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. The malware event data block has a block type of 35 in the series 2 group of blocks. You request the event as part of the malware event record by setting the malware event flag—bit 30 in the request flags field—in the request message with an event version of 4 and an event code of 101.

The following graphic shows the structure of the malware event data block:

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); fields in the order they appear, several straddling word boundaries in the original diagram:

Malware Event Block Type (35)
Malware Event Block Length
Agent UUID (four words)
Cloud UUID (four words)
Malware Event Timestamp
Event Type ID
Event Subtype ID
Detector ID
Detection Name: String Block Type (0), String Block Length, Detection Name...
User: String Block Type (0), String Block Length, User...
File Name: String Block Type (0), String Block Length, File Name...
File Path: String Block Type (0), String Block Length, File Path...
File SHA Hash: String Block Type (0), String Block Length, File SHA Hash...
File Size
File Type
File Timestamp
Parent File Name: String Block Type (0), String Block Length, Parent File Name...
Parent File SHA Hash: String Block Type (0), String Block Length, Parent File SHA Hash...
Event Description: String Block Type (0), String Block Length, Event Description...
Device ID
Connection Instance
Connection Counter
Connection Event Timestamp
Direction
Source IP Address (four words)
Destination IP Address (four words)
Application ID
User ID
Access Control Policy UUID (four words)
Disposition
Retrospective Disposition
URI: String Block Type (0), String Block Length, URI...
Source Port
Destination Port
Source Country
Destination Country
Web Application ID
Client Application ID
Action
Protocol
Threat Score
IOC Number

The following table describes the fields in the malware event data block.

Table B-10 Malware Event Data Block for 5.3 Fields

Field

Data Type

Description

Malware Event Block Type

uint32

Initiates a malware event data block. This value is always 35.

Malware Event Block Length

uint32

Total number of bytes in the malware event data block, including eight bytes for the malware event block type and length fields, plus the number of bytes of data that follows.

Agent UUID

uint8[16]

The internal unique ID of the FireAMP agent reporting the malware event.

Cloud UUID

uint8[16]

The internal unique ID of the malware awareness network from which the malware event originated.

Malware Event Timestamp

uint32

The malware event generation timestamp.

Event Type ID

uint32

The internal ID of the malware event type.

Event Subtype ID

uint32

The internal ID of the action that led to malware detection.

Detector ID

uint8

The internal ID of the detection technology that detected the malware.

String Block Length

uint32

The number of bytes included in the Event Description String data block, including eight bytes for the block type and length fields plus the number of bytes in the Event Description field.

Event Description

string

The additional event information associated with the event type.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or IDS event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Event Timestamp

uint32

Timestamp of the connection event.

Direction

uint8

Indicates whether the file was uploaded or downloaded. Can have the following values:

1 - Download

2 - Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Access Control Policy UUID

uint8[16]

Identification number that acts as a unique identifier for the access control policy that triggered the event.

Disposition

uint8

The malware status of the file. Possible values include:

1 - CLEAN - The file is clean and does not contain malware.

2 - UNKNOWN - It is unknown whether the file contains malware.

3 - MALWARE - The file contains malware.

4 - UNAVAILABLE - The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.

5 - CUSTOM SIGNATURE - The file matches a user-defined hash, and is treated in a fashion designated by the user.

Retrospective Disposition

uint8

Disposition of the file if the disposition is updated. If the disposition is not updated, this field contains the same value as the Disposition field. The possible values are the same as the Disposition field.

String Block Type

uint32

Initiates a String data block containing the URI. This value is always 0.

String Block Length

uint32

The number of bytes included in the URI data block, including eight bytes for the block type and header fields plus the number of bytes in the URI field.

URI

string

URI of the connection.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number of the detected web application, if applicable.

Client Application ID

uint32

The internal identification number of the detected client application, if applicable.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

1 - Detect

2 - Block

3 - Malware Cloud Lookup

4 - Malware Block

5 - Malware Whitelist

Protocol

uint8

IANA protocol number specified by the user. For example:

1 - ICMP

4 - IP

6 - TCP

17 - UDP

This is currently only TCP.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

Legacy Discovery Event Header

Discovery Event Header 5.0 - 5.1.1.x

Discovery and connection event messages contain a discovery event header. It conveys the type and subtype of the event, the time the event occurred, the device on which the event occurred, and the structure of the event data in the message. This header is followed by the actual host discovery, user, or connection event data. The structures associated with the different event type/subtype values are described in Host Discovery Structures by Event Type.

The event type and event subtype fields of the discovery event header identify the structure of the transmitted event message. After the structure of the event data block is determined, your program can parse the message appropriately.

The shaded rows in the following diagram illustrate the format of the discovery event header.

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); rows in order:

eStreamer message and record header rows:
Header Version (1)
Message Type (4)
Message Length
Record Type
Record Length
eStreamer Server Timestamp (in events, only if bit 23 is set)
Reserved for Future Use (in events, only if bit 23 is set)

Discovery Event Header (the shaded rows in the original diagram):
Device ID
IP Address
MAC Address (six bytes)
Reserved for future use (two bytes)
Event Second
Event Microsecond
Reserved (Internal)
Event Type
Event Subtype
File Number (Internal Use Only)
File Position (Internal Use Only)

The following table describes the discovery event header.

Table B-11 Discovery Event Header Fields

Field

Data Types

Description

Device ID

uint32

ID number of the device that generated the discovery event. You can obtain the metadata for the device by requesting Version 3 and 4 metadata. See Managed Device Record Metadata for more information.

IP Address

uint32

IP address of the host involved in the event.

MAC Address

uint8[6]

MAC address of the host involved in the event.

Reserved for future use

byte[2]

Two bytes of padding with values set to 0.

Event Second

uint32

UNIX timestamp (seconds since 01/01/1970) that the system generated the event.

Event Microsecond

uint32

Microsecond (one millionth of a second) increment at which the system generated the event.

Reserved (Internal)

byte

Internal Cisco data; can be disregarded.

Event Type

uint32

Event type (1000 for new events, 1001 for change events, 1002 for user input events, 1050 for full host profile). See Host Discovery Structures by Event Type for a list of available event types.

Legacy Client Application Data Blocks

User Client Application Data Block for 5.0 - 5.1

The User Client Application data block contains information about the source of the client application data, the identification number for the user who added the data, and the lists of IP address range data blocks. The User Client Application data block has a block type of 59.

The following diagram shows the basic structure of a User Client Application data block:

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); fields in order:

User Client Application Block Type (59)
User Client Application Block Length
IP Address Ranges: Generic List Block Type (31), Generic List Block Length, IP Range Specification Data Blocks*
Application Protocol ID
Client Application ID
Version: String Block Type (0), String Block Length, Version...

The following table describes the fields of the User Client Application data block.

User Client Application Block Length

uint32

Total number of bytes in the User Client Application data block, including eight bytes for the user client application block type and length fields, plus the number of bytes of user client application data that follows.

Number of bytes in the list. This number includes the eight bytes of the list block type and length fields, plus all encapsulated Scan Vulnerability data blocks.

This field is followed by zero or more Scan Vulnerability data blocks.

Scan Vulnerability Block Type

uint32

Initiates a Scan Vulnerability data block describing a vulnerability detected during a scan. This value is always 109.

Scan Vulnerability Block Length

uint32

Number of bytes in the Scan Vulnerability data block, including eight bytes for the scan vulnerability block type and length fields, plus the number of bytes in the scan vulnerability data that follows.

User Product Data Block for 5.0.x

The User Product data block conveys host input data imported from a third-party application, including third-party application string mappings. This data block is used in Scan Result Data Block 5.2+. The User Product data block has a block type of 65 for 4.10.x and a block type of 118 for 5.0 - 5.0.x; both block types have the same structure.

Note An asterisk (*) next to a data block name in the following diagram indicates that multiple instances of the data block may occur.

The following diagram shows the format of the User Product data block:

Layout (32-bit words, bytes 0 to 3, bits 0 to 31); fields in order:

User Product Data Block Type (65 | 118)
User Product Block Length
Source ID
Source Type
IP Address Ranges: Generic List Block Type (31), Generic List Block Length, IP Range Specification Data Blocks*
Port
Protocol
Drop User Product
Custom Vendor String: String Block Type (0), String Block Length, Custom Vendor String...
Custom Product String: String Block Type (0), String Block Length, Custom Product String...
Custom Version String: String Block Type (0), String Block Length, Custom Version String...
Software ID
Server ID
Vendor ID
Product ID
Major Version String: String Block Type (0), String Block Length, Major Version String...
Minor Version String: String Block Type (0), String Block Length, Minor Version String...
Revision String: String Block Type (0), String Block Length, Revision String...
To Major Version String: String Block Type (0), String Block Length, To Major Version String...
To Minor Version String: String Block Type (0), String Block Length, To Minor Version String...
To Revision String: String Block Type (0), String Block Length, To Revision String...
Build String: String Block Type (0), String Block Length, Build String...
Patch String: String Block Type (0), String Block Length, Patch String...
Extension String: String Block Type (0), String Block Length, Extension String...
OS UUID: Operating System UUID (four words)
List of Fixes: Generic List Block Type (31), Generic List Block Length, Fix List Data Blocks*

The following table describes the components of the User Product data block.

Table B-15 User Product Data Block Fields for 4.10.x, 5.0-5.0.x

Field (data type): Description

User Product Data Block Type (uint32): Initiates a User Product data block. This value is 65 for version 4.10.x and 118 for version 5.0 - 5.0.x.

User Product Block Length (uint32): Total number of bytes in the User Product data block, including eight bytes for the user product block type and length fields, plus the number of bytes in the user product data that follows.

Generic List Block Length (uint32): Number of bytes in the Generic List data block, including the list header and all encapsulated IP Range Specification data blocks.

IP Range Specification Data Blocks * (variable): IP Range Specification data blocks containing information about the IP address ranges for the user input. See IP Address Range Data Block for 5.2+ for a description of this data block.

Port (uint16): Port specified by the user.

Protocol (uint16): IANA protocol number specified by the user. For example:
1 - ICMP
4 - IP
6 - TCP
17 - UDP

Drop User Product (uint32): Indicates whether the user OS definition was deleted from the host:
0 - No
1 - Yes

String Block Type (uint32): Initiates a String data block containing the custom vendor name specified in the user input. This value is always 0.

String Block Length (uint32): Number of bytes in the custom vendor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the vendor name.

Custom Vendor Name (string): The custom vendor name specified in the user input.

String Block Type (uint32): Initiates a String data block containing the custom product name specified in the user input. This value is always 0.

String Block Length (uint32): Number of bytes in the custom product String data block, including eight bytes for the block type and length fields, plus the number of bytes in the product name.

Custom Product Name (string): The custom product name specified in the user input.

String Block Type (uint32): Initiates a String data block containing the custom version specified in the user input. This value is always 0.

String Block Length (uint32): Number of bytes in the custom version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Custom Version (string): The custom version specified in the user input.

Software ID (uint32): The identifier for a specific revision of a server or operating system in the Cisco database.

Server ID (uint32): The Cisco application identifier for the application protocol on the host server specified in user input.

Vendor ID (uint32): The identifier for the vendor of a third party operating system, specified when the third party operating system is mapped to a Cisco 3D operating system definition.

Product ID (uint32): The product identifier of a third party operating system, specified when the third party operating system string is mapped to a Cisco 3D operating system definition.

String Block Type (uint32): Initiates a String data block containing the major version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the major version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Major Version (string): Major version of the Cisco 3D operating system definition that a third party operating system string is mapped to.

String Block Type (uint32): Initiates a String data block containing the minor version number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the minor version String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

Minor Version (string): Minor version number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the revision number of the Cisco operating system definition that a third party operating system string in the user input is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.

Revision (string): Revision number of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the last major version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the To Major String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

To Major (string): Last version number in a range of major version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the last minor version of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the To Minor String data block, including eight bytes for the block type and length fields, plus the number of bytes in the version.

To Minor (string): Last version number in a range of minor version numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the last revision number of the Cisco 3D operating system definition that a third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the To Revision String data block, including eight bytes for the block type and length fields, plus the number of bytes in the revision number.

To Revision (string): Last revision number in a range of revision numbers of the Cisco 3D operating system definition that a third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the build number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the build String data block, including eight bytes for the block type and length fields, plus the number of bytes in the build number.

Build (string): Build number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the patch number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the patch String data block, including eight bytes for the block type and length fields, plus the number of bytes in the patch number.

Patch (string): Patch number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

String Block Type (uint32): Initiates a String data block containing the extension number of the Cisco 3D operating system that the third party operating system string is mapped to. This value is always 0.

String Block Length (uint32): Number of bytes in the extension String data block, including eight bytes for the block type and length fields, plus the number of bytes in the extension number.

Extension (string): Extension number of the Cisco 3D operating system that the third party operating system string in the user input is mapped to.

Legacy User Login Data Blocks

User Login Information Data Block for 5.0 - 5.0.2

The User Login Information data block is used in User Information Update messages and conveys changes in login information for a detected user. For more information, see User Information Update Message Block.

The User Login Information data block has a block type of 121 for version 5.0 - 5.0.2.

The graphic below shows the format of the User Login Information data block:

Layout (one field per line in wire order; the original diagram's 32-bit word grid is omitted and "..." marks variable-length string data):

User Login Information Block Type (121)
User Login Information Block Length
Timestamp
IP Address
User Name: String Block Type (0), String Block Length, User Name...
User ID
Application ID
Email: String Block Type (0), String Block Length, Email...

The following table describes the components of the User Login Information data block.

Table B-16 User Login Information Data Block Fields 5.0 - 5.0.2

Field (data type): Description

User Login Information Block Type (uint32): Initiates a User Login Information data block. This value is 121 for version 5.0 - 5.0.2.

User Login Information Block Length (uint32): Total number of bytes in the User Login Information data block, including eight bytes for the user login information block type and length fields, plus the number of bytes in the user login information data that follows.

Timestamp (uint32): Timestamp of the event.

IP Address (uint8[4]): IP address from the host where the user was detected logging in, in IP address octets.

String Block Type (uint32): Initiates a String data block containing the username for the user. This value is always 0.

String Block Length (uint32): Number of bytes in the username String data block, including eight bytes for the block type and length fields, plus the number of bytes in the username.

Username (string): The user name for the user.

User ID (uint32): Identification number of the user.

Application ID (uint32): The application ID for the application protocol used in the connection that the login information was derived from.

String Block Type (uint32): Initiates a String data block containing the email address for the user. This value is always 0.

String Block Length (uint32): Number of bytes in the email address String data block, including eight bytes for the block type and length fields, plus the number of bytes in the email address.

Email (string): The email address for the user.

Legacy Host Profile Data Blocks

Host Profile Data Block for 5.0 - 5.0.2

The following diagram shows the format of a Host Profile data block in versions 5.0 to 5.0.2. This Host Profile data block does not include a host criticality value, but does include a VLAN presence indicator. In addition, a Host Profile data block can convey a NetBIOS name for the host. This Host Profile data block has a block type of 91.

Note An asterisk (*) next to a block type field in the following diagram indicates that the message may contain zero or more instances of the marked series 1 data block.

Layout (one field per line in wire order; the original diagram's 32-bit word grid is omitted, fields marked * may repeat, and "..." marks variable-length data):

Host Profile Block Type (91)
Host Profile Block Length
IP Address
Hops
Primary/Secondary
Server Fingerprints: Generic List Block Type (31), Generic List Block Length, Server Fingerprint Data Blocks*
Client Fingerprints: Generic List Block Type (31), Generic List Block Length, Client Fingerprint Data Blocks*
SMB Fingerprints: Generic List Block Type (31), Generic List Block Length, SMB Fingerprint Data Blocks*
DHCP Fingerprints: Generic List Block Type (31), Generic List Block Length, DHCP Fingerprint Data Blocks*
List of TCP Servers: List Block Type (11), List Block Length, TCP Server Block* (Server Block Type (36), Server Block Length, TCP Server Data...)
List of UDP Servers: List Block Type (11), List Block Length, UDP Server Block* (Server Block Type (36), Server Block Length, UDP Server Data...)
List of Network Protocols: List Block Type (11), List Block Length, Network Protocol Block* (Protocol Block Type (4), Protocol Block Length, Network Protocol Data...)
List of Transport Protocols: List Block Type (11), List Block Length, Transport Protocol Block* (Protocol Block Type (4), Protocol Block Length, Transport Protocol Data...)
List of MAC Addresses: List Block Type (11), List Block Length, MAC Address Block* (MAC Address Block Type (95), MAC Address Block Length, MAC Address Data...)
Host Last Seen
Host Type
VLAN Presence
VLAN ID
VLAN Type
VLAN Priority
List of Client Applications: Generic List Block Type (31), Generic List Block Length, Client App Data (Client Application Block Type (112)* / Client App Block Type (29)*, Client Application Block Length, Client Application Data...)
NetBIOS Name: String Block Type (0), String Block Length, NetBIOS String Data...

The following table describes the fields of the host profile data block returned by version 4.9 to version 5.0.2.

Table B-17 Host Profile Data Block for 5.0 - 5.0.2 Fields

Field (data type): Description

Host Profile Block Type (uint32): Initiates the Host Profile data block for 4.9 to 5.0.2. This data block has a block type of 91.

Host Profile Block Length (uint32): Number of bytes in the Host Profile data block, including eight bytes for the host profile block type and length fields, plus the number of bytes included in the host profile data that follows.

IP Address (uint8[4]): IP address of the host described in the profile, in IP address octets.

Hops (uint8): Number of hops from the host to the device.

Primary/Secondary (uint8): Indicates whether the host is in the primary or secondary network of the device that detected it:

Legacy OS Fingerprint Data Blocks

Operating System Fingerprint Data Block for 5.0 - 5.0.2

The Operating System Fingerprint data block has a block type of 87. The block includes a fingerprint Universally Unique Identifier (UUID), as well as the fingerprint type, the fingerprint source type, and the fingerprint source ID. The following diagram shows the format of an Operating System Fingerprint data block for version 5.0 to version 5.0.2.

Layout (one field per line in wire order; the original diagram's 32-bit word grid is omitted):

Operating System Fingerprint Block Type (87)
Operating System Fingerprint Block Length
OS Fingerprint UUID: Fingerprint UUID (four 32-bit words)
Fingerprint Type
Fingerprint Source Type
Fingerprint Source ID
Last Seen Value for Fingerprint
TTL Difference

The following table describes the fields of the operating system fingerprint data block.

Table B-18 Operating System Fingerprint Data Block Fields

Field (data type): Description

Operating System Fingerprint Data Block Type (uint32): Initiates the operating system data block. This value is always 87.

Operating System Data Block Length (uint32): Number of bytes in the Operating System Fingerprint data block. This value should always be 41: eight bytes for the data block type and length fields, sixteen bytes for the fingerprint UUID value, four bytes for the fingerprint type, four bytes for the fingerprint source type, four bytes for the fingerprint source ID, four bytes for the last seen value, and one byte for the TTL difference.

Fingerprint UUID (uint8[16]): Fingerprint identification number, in octets, that acts as a unique identifier for the operating system. The fingerprint UUID maps to the operating system name, vendor, and version in the vulnerability database (VDB).

Fingerprint Type (uint32): Indicates the type of fingerprint.

Fingerprint Source Type (uint32): Indicates the type (i.e., user or scanner) of the source that supplied the operating system fingerprint.

Fingerprint Source ID (uint32): Indicates the ID of the source that supplied the operating system fingerprint.

Last Seen (uint32): Indicates when the fingerprint was last seen in traffic.

TTL Difference (uint8): Indicates the difference between the TTL value in the fingerprint and the TTL value seen in the packet used to fingerprint the host.
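The fixed 41-byte length stated in the table is the one thing a consumer can check before trusting anything else in this block. The following Python parser is an added example, not code from the eStreamer documentation or from Cisco: it rejects any block whose type or length field disagrees with the table, then walks a run of consecutive blocks as they appear inside a fingerprint list. The UUIDs, timestamps and IDs in the sample are constructed placeholders.

```python
import struct
import uuid

OS_FINGERPRINT_BLOCK_TYPE = 87
# 8 (type + length) + 16 (UUID) + 4 + 4 + 4 + 4 + 1 (TTL difference) = 41, per Table B-18.
OS_FINGERPRINT_BLOCK_LENGTH = 41
OS_FINGERPRINT_FMT = "!II16sIIIIB"  # network byte order, no padding between fields
assert struct.calcsize(OS_FINGERPRINT_FMT) == OS_FINGERPRINT_BLOCK_LENGTH


class ParseError(ValueError):
    """The block header does not describe the bytes that follow it."""


def parse_os_fingerprint(buf, off=0):
    """Parse one Operating System Fingerprint block at `off`; returns (fields, next offset)."""
    if len(buf) - off < 8:
        raise ParseError(f"no room for a block header at offset {off}")
    btype, blen = struct.unpack_from("!II", buf, off)
    if btype != OS_FINGERPRINT_BLOCK_TYPE:
        raise ParseError(f"expected block type 87 at offset {off}, got {btype}")
    # The table fixes the length; anything else is a different layout or a corrupt stream,
    # so refuse it rather than guessing where the next block starts.
    if blen != OS_FINGERPRINT_BLOCK_LENGTH:
        raise ParseError(f"block length {blen} at offset {off}, expected 41")
    if off + blen > len(buf):
        raise ParseError(f"block at offset {off} runs past the end of the buffer")
    _, _, raw_uuid, ftype, source_type, source_id, last_seen, ttl_diff = \
        struct.unpack_from(OS_FINGERPRINT_FMT, buf, off)
    return {
        "fingerprint_uuid": str(uuid.UUID(bytes=raw_uuid)),
        "fingerprint_type": ftype,
        "fingerprint_source_type": source_type,
        "fingerprint_source_id": source_id,
        "last_seen": last_seen,
        "ttl_difference": ttl_diff,
    }, off + blen


def parse_os_fingerprint_run(buf):
    """Parse blocks laid back to back, as they are inside a fingerprint list."""
    out, off = [], 0
    while off < len(buf):
        fp, off = parse_os_fingerprint(buf, off)
        out.append(fp)
    return out


def build_os_fingerprint(fp_uuid, ftype, source_type, source_id, last_seen, ttl_diff):
    """Encode one block; used here only to build the constructed sample below."""
    return struct.pack(OS_FINGERPRINT_FMT, OS_FINGERPRINT_BLOCK_TYPE, OS_FINGERPRINT_BLOCK_LENGTH,
                       fp_uuid.bytes, ftype, source_type, source_id, last_seen, ttl_diff)


# Constructed sample: two fingerprints with placeholder UUIDs and made-up values.
SAMPLE_RUN = (
    build_os_fingerprint(uuid.UUID("aaaaaaaa-0000-0000-0000-000000000001"), 1, 1, 7, 1400000000, 0)
    + build_os_fingerprint(uuid.UUID("aaaaaaaa-0000-0000-0000-000000000002"), 2, 2, 12, 1400000100, 3)
)

if __name__ == "__main__":
    for fp in parse_os_fingerprint_run(SAMPLE_RUN):
        print(fp)
```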

String Block Type (uint32): Initiates a String data block for the host NetBIOS name. This value is always 0.

String Block Length (uint32): Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string.

NetBIOS Name (string): Host NetBIOS name string.

String Block Type (uint32): Initiates a String data block for the client application version. This value is always 0.

String Block Length (uint32): Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version.

Client Application Version (string): Client application version.

Connection Statistics Data Block 5.1

The Connection Statistics data block is used in Connection Data messages. Changes to the Connection data block between 5.0.2 and 5.1 include the addition of new fields with configuration parameters introduced in 5.1 (rule action reason, monitor rules, Security Intelligence source/destination, Security Intelligence layer). The Connection Statistics data block for version 5.1 has a block type of 126.

Connection Statistics Data Block 5.2.x

The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1.1 and 5.2 include the addition of new fields to support geolocation. The connection statistics data block for version 5.2.x has a block type of 144 in the series 1 group of blocks. It deprecates block type 137, Connection Statistics Data Block 5.1.1.x.

Value used to distinguish between file events that happen during the same second.

Intrusion Event Count (uint16): Value used to distinguish between intrusion events that happen during the same second.

Initiator Country (uint16): Code for the country of the initiating host.

Responder Country (uint16): Code for the country of the responding host.

Connection Chunk Data Block for 5.0 - 5.1

The Connection Chunk data block conveys connection data detected by a NetFlow device. The Connection Chunk data block has a block type of 66 for pre-4.10.1 versions. For versions 5.0 - 5.1, it has a block type of 119.

The following diagram shows the format of the Connection Chunk data block:

Layout (one field per line in wire order; the original diagram's 32-bit word grid is omitted):

Connection Chunk Block Type (66 | 119)
Connection Chunk Block Length
Initiator IP Address
Responder IP Address
Start Time
Application ID
Responder Port
Protocol
Connection Type
NetFlow Detector IP Address
Packets Sent
Packets Received
Bytes Sent
Bytes Received
Connections

The following table describes the components of the Connection Chunk data block:

Table B-22 Connection Chunk Data Block Fields

Field (data type): Description

Connection Chunk Block Type (uint32): Initiates a Connection Chunk data block. This value is 66 for versions before 4.10.1 and 119 for version 5.0.

Connection Chunk Block Length (uint32): Total number of bytes in the Connection Chunk data block, including eight bytes for the connection chunk block type and length fields, plus the number of bytes in the connection chunk data that follows.

Initiator IP Address (uint8[4]): IP address of the host that initiated the connection, in IP address octets.

Responder IP Address (uint8[4]): IP address of the host that responded to the initiating host, in IP address octets.

Start Time (uint32): The starting time for the connection chunk.

Application ID (uint32): Application identification number for the application protocol used in the connection.

Responder Port (uint16): The port used by the responder in the connection chunk.

Protocol (uint8): The protocol for the packet containing the user information.

Connection Type (uint8): The type of connection.

Source Device IP Address (uint8[4]): IP address of the NetFlow device that detected the connection, in IP address octets.

Packets Sent (uint32): The number of packets sent in the connection chunk.

Packets Received (uint32): The number of packets received in the connection chunk.

Bytes Sent (uint32): The number of bytes sent in the connection chunk.

Bytes Received (uint32): The number of bytes received in the connection chunk.

Connections (uint32): The number of connections made in the connection chunk.

Connection Statistics Data Block 5.1.1.x

The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.1 and 5.1.1 include the addition of new fields to identify associated intrusion events. The connection statistics data block for version 5.1.1.x has a block type of 137. It deprecates block type 126, Connection Statistics Data Block 5.1.

Value used to distinguish between file events that happen during the same second.

Intrusion Event Count (uint16): Value used to distinguish between intrusion events that happen during the same second.

Connection Statistics Data Block 5.3

The connection statistics data block is used in connection data messages. Changes to the connection data block between versions 5.2.x and 5.3 include the addition of new fields for NetFlow information. The connection statistics data block for version 5.3 has a block type of 152 in the series 1 group of blocks. It deprecates block type 144, Connection Statistics Data Block 5.2.x.

You request connection event records by setting the extended event flag—bit 30 in the Request Flags field—in the request message with an event version of 10 and an event code of 71. See Request Flags. If you enable bit 23, an extended event header is included in the record.

Legacy File Event Data Structures

File Event for 5.1.1.x

The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 23 in the series 2 group of blocks.

The following graphic shows the structure of the File Event data block:

Layout (one field per line in wire order; the original diagram's 32-bit word grid is omitted and "..." marks variable-length string data):

File Event Block Type (23)
File Event Block Length
Device ID
Connection Instance
Connection Counter
Connection Timestamp
File Event Timestamp
Source IP Address (16 bytes)
Destination IP Address (16 bytes)
Disposition
Action
SHA Hash (32 bytes)
File Type ID
File Name: String Block Type (0), String Block Length, File Name...
File Size (8 bytes)
Direction
Application ID
User ID
URI: String Block Type (0), String Block Length, URI...
Signature: String Block Type (0), String Block Length, Signature...
Source Port
Destination Port
Protocol
Access Control Policy UUID (16 bytes)

The following table describes the fields in the file event data block:

Table B-25 File Event Data Block Fields

Field (data type): Description

File Event Block Type (uint32): Initiates a file event data block. This value is always 23.

File Event Block Length (uint32): Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.

Device ID (uint32): ID for the device that generated the event.

Connection Instance (uint16): Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.

Connection Counter (uint16): Value used to distinguish between connection events that happen during the same second.

Connection Timestamp (uint32): UNIX timestamp (seconds since 01/01/1970) of the associated connection event.

File Event Timestamp (uint32): UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.

Source IP Address (uint8[16]): IPv4 or IPv6 address for the source of the connection.

Destination IP Address (uint8[16]): IPv4 or IPv6 address for the destination of the connection.

Disposition (uint8): The malware status of the file. Possible values include:
1 - CLEAN - The file is clean and does not contain malware.
2 - UNKNOWN - It is unknown whether the file contains malware.
3 - MALWARE - The file contains malware.
4 - CACHE_MISS - The software was unable to send a request to the Cisco cloud for a disposition.
5 - NO_CLOUD_RESP - The Cisco cloud services did not respond to the request.

Action (uint8): The action taken on the file based on the file type. Can have the following values:
1 - Detect
2 - Block
3 - Malware Cloud Lookup
4 - Malware Block
5 - Malware Whitelist

SHA Hash (uint8[32]): SHA-256 hash of the file, in binary format.

File Type ID (uint32): ID number that maps to the file type.

File Name (string): Name of the file.

File Size (uint64): Size of the file in bytes.

Direction (uint8): Value that indicates whether the file was uploaded or downloaded. Can have the following values:
1 - Download
2 - Upload
Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Application ID (uint32): ID number that maps to the application using the file transfer.

User ID (uint32): ID number for the user logged into the destination host, as identified by the system.

URI (string): Uniform Resource Identifier (URI) of the connection.

Signature (string): SHA-256 hash of the file, in string format.

Source Port (uint16): Port number for the source of the connection.

Destination Port (uint16): Port number for the destination of the connection.

Protocol (uint8): IANA protocol number specified by the user. For example:
1 - ICMP
4 - IP
6 - TCP
17 - UDP
This is currently only TCP.

Access Control Policy UUID (uint8[16]): Unique identifier for the access control policy that triggered the event.
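The User Product, User Login Information and File Event blocks above all nest String data blocks (type 0) whose length fields arrive from the network, so a consumer has to check each one against the bytes actually present. The following Python parser is an added example, not code from the eStreamer documentation or from Cisco: it reads a 5.1.1.x File Event (type 23) with a bounds check on every length field, decodes the Disposition, Action and Direction values from Table B-25, and checks that the binary SHA Hash and the string Signature agree. It assumes that the 16-byte IP fields carry IPv4 addresses in IPv4-mapped IPv6 form (the page does not say how IPv4 is embedded), and the sample event, policy UUID, IDs and addresses are all constructed.

```python
import hashlib
import ipaddress
import struct
import uuid

STRING_BLOCK_TYPE = 0       # String data block (type 0), nested in many blocks on this page
FILE_EVENT_BLOCK_TYPE = 23  # File Event for 5.1.1.x, series 2

# Enumerations from Table B-25.
DISPOSITION = {1: "CLEAN", 2: "UNKNOWN", 3: "MALWARE", 4: "CACHE_MISS", 5: "NO_CLOUD_RESP"}
ACTION = {1: "Detect", 2: "Block", 3: "Malware Cloud Lookup", 4: "Malware Block", 5: "Malware Whitelist"}
DIRECTION = {1: "Download", 2: "Upload"}

# Fixed-width runs between the variable-length String blocks (network byte order, no padding).
HEAD_FMT = "!IHHII16s16sBB32sI"  # device id through file type id
MID_FMT = "!QBII"                # file size, direction, application id, user id
TAIL_FMT = "!HHB16s"             # source port, destination port, protocol, access control policy uuid


class ParseError(ValueError):
    """A length field disagrees with the bytes actually present."""


def unpack_at(fmt, buf, off):
    """struct.unpack_from with an explicit bounds check; returns (fields, new offset)."""
    size = struct.calcsize(fmt)
    if off + size > len(buf):
        raise ParseError(f"need {size} bytes at offset {off}, only {len(buf) - off} left")
    return struct.unpack_from(fmt, buf, off), off + size


def read_string_block(buf, off):
    """One String data block: uint32 type (0), uint32 length including the 8-byte header,
    then the string bytes. Returns (text, offset after the block)."""
    (btype, blen), data_off = unpack_at("!II", buf, off)
    if btype != STRING_BLOCK_TYPE:
        raise ParseError(f"expected String block type 0 at offset {off}, got {btype}")
    if blen < 8 or off + blen > len(buf):  # the length came off the wire; keep it inside the buffer
        raise ParseError(f"String block length {blen} at offset {off} does not fit")
    return buf[data_off:off + blen].decode("utf-8", errors="replace"), off + blen


def decode_ip(raw16):
    """Assumption: IPv4 is carried as an IPv4-mapped IPv6 address (::ffff:a.b.c.d)."""
    addr = ipaddress.IPv6Address(raw16)
    return str(addr.ipv4_mapped or addr)


def parse_file_event(buf):
    """Parse one File Event block (type 23) into a dict, checking every length field."""
    (btype, blen), off = unpack_at("!II", buf, 0)
    if btype != FILE_EVENT_BLOCK_TYPE:
        raise ParseError(f"expected File Event block type 23, got {btype}")
    if blen < 8 or blen > len(buf):
        raise ParseError(f"block length {blen} does not fit in {len(buf)} bytes")
    (device, inst, counter, conn_ts, ev_ts, src, dst,
     disp, act, sha, ftype), off = unpack_at(HEAD_FMT, buf, off)
    name, off = read_string_block(buf, off)
    (size, direction, app_id, user_id), off = unpack_at(MID_FMT, buf, off)
    uri, off = read_string_block(buf, off)
    signature, off = read_string_block(buf, off)
    (sport, dport, proto, acp), off = unpack_at(TAIL_FMT, buf, off)
    if off != blen:  # leftover or missing bytes: sender and parser disagree on the layout
        raise ParseError(f"consumed {off} bytes but block length is {blen}")
    return {
        "device_id": device, "connection_instance": inst, "connection_counter": counter,
        "connection_timestamp": conn_ts, "file_event_timestamp": ev_ts,
        "source_ip": decode_ip(src), "destination_ip": decode_ip(dst),
        "disposition": DISPOSITION.get(disp, f"unknown({disp})"),
        "action": ACTION.get(act, f"unknown({act})"),
        "sha256": sha.hex(), "file_type_id": ftype, "file_name": name, "file_size": size,
        "direction": DIRECTION.get(direction, f"unknown({direction})"),
        "application_id": app_id, "user_id": user_id, "uri": uri, "signature": signature,
        # SHA Hash (binary) and Signature (string) describe the same file; flag any disagreement.
        "hash_consistent": sha.hex() == signature.lower(),
        "source_port": sport, "destination_port": dport, "protocol": proto,
        "access_control_policy_uuid": str(uuid.UUID(bytes=acp)),
    }


def string_block(text):
    """Encode a String data block (type 0); used here only to build the constructed sample."""
    data = text.encode("utf-8")
    return struct.pack("!II", STRING_BLOCK_TYPE, 8 + len(data)) + data


# Constructed sample: the file content, policy UUID, IDs and addresses are made up for this example.
SAMPLE_CONTENT = b"MZ\x90\x00 constructed sample payload"
SAMPLE_ACP_UUID = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder policy UUID


def build_sample_event():
    sha = hashlib.sha256(SAMPLE_CONTENT).digest()
    body = (struct.pack(HEAD_FMT, 7, 1, 42, 1400000000, 1400000003,
                        ipaddress.IPv6Address("::ffff:10.1.2.3").packed,
                        ipaddress.IPv6Address("::ffff:192.0.2.10").packed,
                        3, 4, sha, 21)  # disposition 3 = MALWARE, action 4 = Malware Block
            + string_block("invoice.exe")
            + struct.pack(MID_FMT, len(SAMPLE_CONTENT), 1, 676, 0)  # direction 1 = Download
            + string_block("http://files.example.test/invoice.exe")
            + string_block(sha.hex())
            + struct.pack(TAIL_FMT, 49152, 80, 6, SAMPLE_ACP_UUID.bytes))  # protocol 6 = TCP
    return struct.pack("!II", FILE_EVENT_BLOCK_TYPE, 8 + len(body)) + body
```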

File Event for 5.2.x

The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 32 in the series 2 group of blocks. It supersedes block type 23. New fields have been added to track source and destination country, as well as the client and web application instances.

The following graphic shows the structure of the File Event data block:

Layout (one field per line in wire order; the original diagram's 32-bit word grid is omitted and "..." marks variable-length string data):

File Event Block Type (32)
File Event Block Length
Device ID
Connection Instance
Connection Counter
Connection Timestamp
File Event Timestamp
Source IP Address (16 bytes)
Destination IP Address (16 bytes)
Disposition
Action
SHA Hash (32 bytes)
File Type ID
File Name: String Block Type (0), String Block Length, File Name...
File Size (8 bytes)
Direction
Application ID
User ID
URI: String Block Type (0), String Block Length, URI...
Signature: String Block Type (0), String Block Length, Signature...
Source Port
Destination Port
Protocol
Access Control Policy UUID (16 bytes)
Source Country
Destination Country
Web Application ID
Client Application ID

The following table describes the fields in the file event data block:

Table B-26 File Event Data Block Fields

Field

Data Type

Description

File Event Block Type

uint32

Initiates whether file event data block. This value is always 23.

File Event Block Length

uint32

Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the associated connection event.

File Event Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Disposition

uint8

The malware status of the file. Possible values include:

1 - CLEAN - The file is clean and does not contain malware.

2 - NEUTRAL - It is unknown whether the file contains malware.

3 - MALWARE - The file contains malware.

4 - CACHE_MISS - The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

1 - Detect

2 - Block

3 - Malware Cloud Lookup

4 - Malware Block

5 - Malware Whitelist

SHA Hash

uint8[32]

SHA-256 hash of the file, in binary format.

File Type ID

uint32

ID number that maps to the file type.

File Name

string

Name of the file.

File Size

uint64

Size of the file in bytes.

Direction

uint8

Value that indicates whether the file was uploaded or downloaded. Can have the following values:

1 - Download

2 - Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

ID number for the user logged into the destination host, as identified by the system.

URI

string

Uniform Resource Identifier (URI) of the connection.

Signature

string

SHA-256 hash of the file, in string format.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Protocol

uint8

IANA protocol number of the connection that carried the file. For example:

1 - ICMP

4 - IP

6 - TCP

17 - UDP

This is currently only TCP.

Access Control Policy UUID

uint8[16]

Unique identifier for the access control policy that triggered the event.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

File Event for 5.3

The file event contains information on files that are sent over the network. This includes the connection information, whether the file is malware, and specific information to identify the file. The file event has a block type of 38 in the series 2 group of blocks. It supersedes block type 32. New fields have been added to track dynamic file analysis and file storage.

You request file event records by setting the file event flag—bit 30 in the Request Flags field—in the request message with an event version of 3 and an event code of 111. See Request Flags. If you enable bit 23, an extended event header is included in the record.

The File Event data block has the following layout. Fields are listed in wire order with the width given in Table B-27; the block type and length fields come first, and each string-valued field (File Name, URI, Signature) is carried as a String data block (type 0, then length, then the bytes).

File Event Block Type (38) - uint32
File Event Block Length - uint32
Device ID - uint32
Connection Instance - uint16
Connection Counter - uint16
Connection Timestamp - uint32
File Event Timestamp - uint32
Source IP Address - uint8[16]
Destination IP Address - uint8[16]
Disposition - uint8
SPERO Disposition - uint8
File Storage Status - uint8
File Analysis Status - uint8
Archive File Status - uint8
Threat Score - uint8
Action - uint8
SHA Hash - uint8[32]
File Type ID - uint32
File Name - String Block Type (0), String Block Length, File Name...
File Size - uint64
Direction - uint8
Application ID - uint32
User ID - uint32
URI - String Block Type (0), String Block Length, URI...
Signature - String Block Type (0), String Block Length, Signature...
Source Port - uint16
Destination Port - uint16
Protocol - uint8
Access Control Policy UUID - uint8[16]
Source Country - uint16
Destination Country - uint16
Web Application ID - uint32
Client Application ID - uint32

The following table describes the fields in the file event data block.

Table B-27 File Event Data Block Fields

Field

Data Type

Description

File Event Block Type

uint32

Initiates a file event data block. This value is always 38.

File Event Block Length

uint32

Total number of bytes in the file event block, including eight bytes for the file event block type and length fields, plus the number of bytes of data that follows.

Device ID

uint32

ID for the device that generated the event.

Connection Instance

uint16

Snort instance on the device that generated the event. Used to link the event with a connection or intrusion event.

Connection Counter

uint16

Value used to distinguish between connection events that happen during the same second.

Connection Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of the associated connection event.

File Event Timestamp

uint32

UNIX timestamp (seconds since 01/01/1970) of when the file type is identified and the file event generated.

Source IP Address

uint8[16]

IPv4 or IPv6 address for the source of the connection.

Destination IP Address

uint8[16]

IPv4 or IPv6 address for the destination of the connection.

Disposition

uint8

The malware status of the file. Possible values include:

1 - CLEAN The file is clean and does not contain malware.

2 - UNKNOWN It is unknown whether the file contains malware.

3 - MALWARE The file contains malware.

4 - UNAVAILABLE The software was unable to send a request to the Cisco cloud for a disposition, or the Cisco cloud services did not respond to the request.

5 - CUSTOM SIGNATURE The file matches a user-defined hash, and is treated in a fashion designated by the user.

SPERO Disposition

uint8

Indicates whether the SPERO signature was used in file analysis. If the value is 1, 2, or 3, SPERO analysis was used. If there is any other value SPERO analysis was not used.

File Storage Status

uint8

The storage status of the file. Possible values are:

1 - File Stored

2 - File Stored

3 - Unable to Store File

4 - Unable to Store File

5 - Unable to Store File

6 - Unable to Store File

7 - Unable to Store File

8 - File Size is Too Large

9 - File Size is Too Small

10 - Unable to Store File

11 - File Not Stored, Disposition Unavailable

File Analysis Status

uint8

Indicates whether the file was sent for dynamic analysis. Possible values are:

1 - Sent for Analysis

2 - Sent for Analysis

4 - Sent for Analysis

5 - Failed to Send

6 - Failed to Send

7 - Failed to Send

8 - Failed to Send

9 - File Size is Too Small

10 - File Size is Too Large

11 - Sent for Analysis

12 - Analysis Complete

13 - Failure (Network Issue)

14 - Failure (Rate Limit)

15 - Failure (File Too Large)

16 - Failure (File Read Error)

17 - Failure (Internal Library Error)

19 - File Not Sent, Disposition Unavailable

20 - Failure (Cannot Run File)

21 - Failure (Analysis Timeout)

22 - Sent for Analysis

23 - File Not Supported

Archive File Status

uint8

This is always 0.

Threat Score

uint8

A numeric value from 0 to 100 based on the potentially malicious behaviors observed during dynamic analysis.

Action

uint8

The action taken on the file based on the file type. Can have the following values:

1 - Detect

2 - Block

3 - Malware Cloud Lookup

4 - Malware Block

5 - Malware Whitelist

SHA Hash

uint8[32]

SHA-256 hash of the file, in binary format.

File Type ID

uint32

ID number that maps to the file type. The meaning of this field is transmitted in the metadata with this event. See FireAMP File Type Metadata for more information.

File Name

string

Name of the file.

File Size

uint64

Size of the file in bytes.

Direction

uint8

Value that indicates whether the file was uploaded or downloaded. Can have the following values:

1 - Download

2 - Upload

Currently the value depends on the protocol (for example, if the connection is HTTP it is a download).

Application ID

uint32

ID number that maps to the application using the file transfer.

User ID

uint32

ID number for the user logged into the destination host, as identified by the system.

URI

string

Uniform Resource Identifier (URI) of the connection.

Signature

string

SHA-256 hash of the file, in string format.

Source Port

uint16

Port number for the source of the connection.

Destination Port

uint16

Port number for the destination of the connection.

Protocol

uint8

IANA protocol number of the connection that carried the file. For example:

1 - ICMP

4 - IP

6 - TCP

17 - UDP

This is currently only TCP.

Access Control Policy UUID

uint8[16]

Unique identifier for the access control policy that triggered the event.

Source Country

uint16

Code for the country of the source host.

Destination Country

uint16

Code for the country of the destination host.

Web Application ID

uint32

The internal identification number for the web application, if applicable.

Client Application ID

uint32

The internal identification number for the client application, if applicable.

File Event SHA Hash for 5.1.1-5.2.x

The eStreamer service uses the File Event SHA Hash data block to contain metadata of the mapping of the SHA hash of a file to its filename. The block type is 26 in the series 2 list of data blocks. It can be requested if file log events have been requested in the extended requests—event code 111—and either bit 20 is set or metadata is requested with an event version of 4 and an event code of 21.

The File Event SHA Hash data block has the following layout, in wire order:

File Event SHA Hash Block Type (26) - uint32
File Event SHA Hash Block Length - uint32
SHA Hash - uint8[32]
File Name or Disposition - String Block Type (0), String Block Length, File Name or Disposition...

The following table describes the fields in the file event SHA hash data block.

Table B-28 File Event SHA Hash 5.1.1-5.2.x Data Block Fields

Field

Data Type

Description

File Event SHA Hash Block Type

uint32

Initiates a File Event SHA Hash block. This value is always 26.

File Event SHA Hash Block Length

uint32

Total number of bytes in the File Event SHA Hash block, including eight bytes for the File Event SHA Hash block type and length fields, plus the number of bytes of data that follows.

SHA Hash

uint8[32]

The SHA-256 hash of the file in binary format.

String Block Type

uint32

Initiates a String data block containing the descriptive name associated with the file. This value is always 0.

String Block Length

uint32

The number of bytes included in the name String data block, including eight bytes for the block type and length fields plus the number of bytes in the File Name or Disposition field.

File Name or Disposition

string

The descriptive name or disposition of the file. If the file is clean, this value is Clean. If the file’s disposition is unknown, the value is Neutral. If the file contains malware, the file name is given.
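The following parser is an added example for the two blocks described above, the 5.3 File Event (series 2 block type 38) and the 5.1.1-5.2.x File Event SHA Hash (block type 26). It is not Cisco code and not taken from any eStreamer client; it only follows the field tables on this page. It assumes network (big-endian) byte order, assumes that IPv4 addresses are delivered inside the 16-byte address fields as IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), and decodes string blocks as UTF-8; none of those three points is stated in the tables above. The sample blocks at the bottom are constructed byte strings, not captured traffic. The point a practitioner should take from it is that every length field (outer block and nested string blocks) is checked against the enclosing bound before it is used, since a client that trusts a length from the wire can be made to over-read or mis-frame the stream.

```python
import ipaddress
import struct
import uuid

# Value tables copied from the field descriptions above.
DISPOSITION = {1: "CLEAN", 2: "UNKNOWN", 3: "MALWARE", 4: "UNAVAILABLE", 5: "CUSTOM SIGNATURE"}
ACTION = {1: "Detect", 2: "Block", 3: "Malware Cloud Lookup", 4: "Malware Block", 5: "Malware Whitelist"}
DIRECTION = {1: "Download", 2: "Upload"}
FILE_EVENT_BLOCK_TYPE, SHA_HASH_BLOCK_TYPE, STRING_BLOCK_TYPE = 38, 26, 0


class BlockError(ValueError):
    """A type or length field disagrees with the spec or with the bytes actually received."""


def unpack_at(fmt, buf, pos, end):
    """struct.unpack_from with an explicit bound, so a short or lying block cannot over-read."""
    size = struct.calcsize(fmt)
    if pos + size > end:
        raise BlockError(f"field {fmt!r} at {pos} runs past offset {end}")
    return struct.unpack_from(fmt, buf, pos), pos + size


def read_string_block(buf, pos, end):
    """String data block: uint32 type (0), uint32 length counting these 8 bytes, then the bytes."""
    (btype, blen), data = unpack_at("!II", buf, pos, end)
    if btype != STRING_BLOCK_TYPE or blen < 8 or pos + blen > end:
        raise BlockError(f"bad string block type={btype} length={blen}")
    return buf[data:pos + blen].decode("utf-8", "replace"), pos + blen  # UTF-8 is an assumption


def block_header(buf, off, expected_type):
    """Check the outer type/length pair; return (data_pos, block_end, block_length)."""
    (btype, blen), pos = unpack_at("!II", buf, off, len(buf))
    if btype != expected_type or blen < 8 or off + blen > len(buf):
        raise BlockError(f"bad block header type={btype} length={blen} buffer={len(buf)}")
    return pos, off + blen, blen


def ip_from_16(raw):
    """Assumption (not stated in the tables): IPv4 arrives as IPv4-mapped IPv6, ::ffff:a.b.c.d."""
    addr = ipaddress.IPv6Address(raw)
    return str(addr.ipv4_mapped) if addr.ipv4_mapped is not None else str(addr)


def parse_file_event(buf, off=0):
    """Parse one File Event for 5.3 (series 2 block type 38) starting at buf[off]."""
    pos, end, blen = block_header(buf, off, FILE_EVENT_BLOCK_TYPE)
    (dev, inst, ctr, conn_ts, ev_ts, sip, dip, disp, spero, store, analysis, archive,
     score, action, sha, ftype), pos = unpack_at("!IHHII16s16s7B32sI", buf, pos, end)
    name, pos = read_string_block(buf, pos, end)
    (size, direction, app, user), pos = unpack_at("!QBII", buf, pos, end)
    uri, pos = read_string_block(buf, pos, end)
    sig, pos = read_string_block(buf, pos, end)
    (sport, dport, proto, acp, sc, dc, webapp, client), pos = unpack_at("!HHB16sHHII", buf, pos, end)
    if pos != end:
        raise BlockError(f"{end - pos} unparsed bytes inside block")
    if sig and sig.lower() != sha.hex():  # binary SHA Hash and string Signature must agree
        raise BlockError("Signature string disagrees with binary SHA Hash")
    return {
        "block_length": blen, "device_id": dev, "connection_instance": inst, "connection_counter": ctr,
        "connection_timestamp": conn_ts, "file_event_timestamp": ev_ts,
        "source_ip": ip_from_16(sip), "destination_ip": ip_from_16(dip),
        "disposition": DISPOSITION.get(disp, disp), "spero_used": spero in (1, 2, 3),
        "file_storage_status": store, "file_analysis_status": analysis, "archive_file_status": archive,
        "threat_score": score, "action": ACTION.get(action, action), "sha256": sha.hex(),
        "file_type_id": ftype, "file_name": name, "file_size": size,
        "direction": DIRECTION.get(direction, direction), "application_id": app, "user_id": user,
        "uri": uri, "signature": sig, "source_port": sport, "destination_port": dport, "protocol": proto,
        "access_control_policy_uuid": str(uuid.UUID(bytes=acp)), "source_country": sc,
        "destination_country": dc, "web_application_id": webapp, "client_application_id": client,
    }


def parse_sha_hash_block(buf, off=0):
    """Parse one File Event SHA Hash block (series 2 block type 26)."""
    pos, end, _ = block_header(buf, off, SHA_HASH_BLOCK_TYPE)
    (sha,), pos = unpack_at("!32s", buf, pos, end)
    label, pos = read_string_block(buf, pos, end)
    if pos != end:
        raise BlockError(f"{end - pos} unparsed bytes inside block")
    # The string is the word Clean or Neutral for non-malware files and a file name otherwise.
    return {"sha256": sha.hex(), "label": label, "is_file_name": label not in ("Clean", "Neutral")}


# Constructed sample blocks for demonstration; these are not captured eStreamer traffic.
SAMPLE_SHA = bytes.fromhex("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")


def string_block(text):
    data = text.encode("utf-8")
    return struct.pack("!II", STRING_BLOCK_TYPE, 8 + len(data)) + data


def sample_file_event():
    src = ipaddress.IPv6Address("::ffff:10.0.0.5").packed
    dst = ipaddress.IPv6Address("::ffff:203.0.113.9").packed
    body = (struct.pack("!IHHII16s16s7B32sI", 7, 3, 41, 1400000000, 1400000001, src, dst,
                        3, 1, 1, 12, 0, 87, 4, SAMPLE_SHA, 285)
            + string_block("invoice.pdf") + struct.pack("!QBII", 70656, 1, 676, 0)
            + string_block("http://203.0.113.9/dl/invoice.pdf") + string_block(SAMPLE_SHA.hex())
            + struct.pack("!HHB16sHHII", 51234, 80, 6, bytes(16), 840, 0, 0, 0))
    return struct.pack("!II", FILE_EVENT_BLOCK_TYPE, 8 + len(body)) + body


def sample_sha_hash_block(label):
    body = SAMPLE_SHA + string_block(label)
    return struct.pack("!II", SHA_HASH_BLOCK_TYPE, 8 + len(body)) + body
```

Calling parse_file_event(sample_file_event()) returns a dictionary with the decoded fields; feeding it a buffer one byte short, or a block whose length field exceeds the buffer, raises BlockError instead of reading past the data. The same read_string_block helper serves both block types because the String data block encoding is identical in each.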

Legacy Correlation Event Data Structures

The following topic describes other legacy correlation (compliance) data structures:

Correlation Event for 5.0 - 5.0.2

Correlation events (called compliance events in pre-5.0 versions) contain information about correlation policy violations. This message uses the standard eStreamer message header and specifies a record type of 112, followed by a correlation data block of type 116. Data block type 116 differs from its predecessor (block type 107) in including additional information about the associated security zone and interface.

You can request 5.0 correlation events from eStreamer only by extended request, for which you request event type code 31 and version code 7 in the Stream Request message (see Submitting Extended Requests for information about submitting extended requests). You can optionally enable bit 23 in the flags field of the initial event stream request message, to include the extended event header. You can also enable bit 20 in the flags field to include user metadata.

Correlation Block Length

uint32

Length of the correlation data block, which includes 8 bytes for the correlation block type and length plus the correlation data that follows.

Device ID

uint32

Internal identification number of the managed device or Defense Center that generated the correlation event. A value of zero indicates the Defense Center. You can obtain managed device names by requesting Version 3 metadata. See Managed Device Record Metadata for more information.

(Correlation) Event Second

uint32

UNIX timestamp indicating the time that the correlation event was generated (in seconds from 01/01/1970).

Event ID

uint32

Correlation event identification number.

Policy ID

uint32

Identification number of the correlation policy that was violated. See Server Record for information about how to obtain policy identification numbers from the database.

Rule ID

uint32

Identification number of the correlation rule that triggered to violate the policy. See Server Record for information about how to obtain rule identification numbers from the database.

Priority

uint32

Priority assigned to the event. This is an integer value from 0 to 5.

String Block Type

uint32

Initiates a string data block that contains the correlation violation event description. This value is always set to 0. For more information about string blocks, see String Data Block.

String Block Length

uint32

Number of bytes in the event description string block, which includes four bytes for the string block type and four bytes for the string block length, plus the number of bytes in the description.

Description

string

Description of the correlation event.

Event Type

uint8

Indicates whether the correlation event was triggered by an intrusion, host discovery, or user event:

1 - intrusion

2 - host discovery

3 - user

Event Device ID

uint32

Identification number of the device that generated the event that triggered the correlation event. You can obtain device name by requesting Version 3 metadata. See Managed Device Record Metadata for more information.

Signature ID

uint32

If the event was an intrusion event, indicates the rule identification number that corresponds with the event. Otherwise, the value is 0.

Signature Generator ID

uint32

If the event was an intrusion event, indicates the ID number of the FireSIGHT System preprocessor or rules engine that generated the event.

(Trigger) Event Second

uint32

UNIX timestamp indicating the time of the event that triggered the correlation policy rule (in seconds from 01/01/1970).

(Trigger) Event Microsecond

uint32

Microsecond (one millionth of a second) increment that the event was detected.

Event ID

uint32

Identification number of the event generated by the device.

Event Defined Mask

bits[32]

Set bits in this field indicate which of the fields that follow in the message are valid. See Table B-30 for a list of each bit value.

Event Impact Flags

uint8

Impact flag value of the event. Each of the low-order eight bits records one impact condition:

0x01 (bit 0) - Source or destination host is in a network monitored by the system.

0x02 (bit 1) - Source or destination host exists in the network map.

0x04 (bit 2) - Source or destination host is running a server on the port in the event (if TCP or UDP) or uses the IP protocol.

0x08 (bit 3) - There is a vulnerability mapped to the operating system of the source or destination host in the event.

0x10 (bit 4) - There is a vulnerability mapped to the server detected in the event.

0x20 (bit 5) - The event caused the managed device to drop the session (used only when the device is running in inline, switched, or routed deployment). Corresponds to blocked status in the FireSIGHT System web interface.

0x40 (bit 6) - The rule that generated this event contains rule metadata setting the impact flag to red (bit 6). The source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.

0x80 (bit 7) - There is a vulnerability mapped to the client detected in the event.

The following impact level values map to specific priorities on the Defense Center. An X indicates the value can be 0 or 1:

gray (0, unknown): 00X00000

red (1, vulnerable): XXXX1XXX, XXX1XXXX, X1XXXXXX, 1XXXXXXX

orange (2, potentially vulnerable): 00X00111

yellow (3, currently not vulnerable): 00X00011

blue (4, unknown target): 00X00001

IP Protocol

uint8

Identifier of the IP protocol associated with the event, if applicable.

Network Protocol

uint16

Network protocol associated with the event, if applicable.

Source IP

uint8[4]

IP address of the source host in the event, in IP address octets.

Source Host Type

uint8

Source host’s type:

0 - Host

1 - Router

2 - Bridge

Source VLAN ID

uint16

Source host’s VLAN identification number, if applicable.

Source OS Fingerprint UUID

uint8[16]

A fingerprint ID number that acts as a unique identifier for the source host’s operating system.

See Server Record for information about obtaining the values that map to the fingerprint IDs.

Source Criticality

uint16

User-defined criticality value for the source host:

0 - None

1 - Low

2 - Medium

3 - High

Source User ID

uint32

Identification number for the user logged into the source host, as identified by the system.

Source Port

uint16

Source port in the event.

Source Server ID

uint32

Identification number for the server running on the source host.

Destination IP Address

uint8[4]

IP address of the destination host associated with the policy violation (if applicable). This value will be 0 if there is no destination IP address.

Destination Host Type

uint8

Destination host’s type:

0 - Host

1 - Router

2 - Bridge

Destination VLAN ID

uint16

Destination host’s VLAN identification number, if applicable.

Destination OS Fingerprint UUID

uint8[16]

A fingerprint ID number that acts as a unique identifier for the destination host’s operating system.

See Server Record for information about obtaining the values that map to the fingerprint IDs.

Destination Criticality

uint16

User-defined criticality value for the destination host:

0 - None

1 - Low

2 - Medium

3 - High

Destination User ID

uint32

Identification number for the user logged into the destination host, as identified by the system.

Destination Port

uint16

Destination port in the event.

Destination Service ID

uint32

Identification number for the server running on the destination host.

Blocked

uint8

Value indicating what happened to the packet that triggered the intrusion event.

2 - The packet that triggered the event would have been dropped, if the intrusion policy had been applied to a device in inline, switched, or routed deployment.

Ingress Interface UUID

uint8[16]

An interface ID that acts as the unique identifier for the ingress interface associated with the correlation event.

Egress Interface UUID

uint8[16]

An interface ID that acts as the unique identifier for the egress interface associated with the correlation event.

Ingress Zone UUID

uint8[16]

A zone ID that acts as the unique identifier for the ingress security zone associated with the correlation event.

Egress Zone UUID

uint8[16]

A zone ID that acts as the unique identifier for the egress security zone associated with the correlation event.

The following table describes each Event Defined Mask value.

Table B-30 Event Defined Values

Description                   Mask Value
Event Impact Flags            0x00000001
IP Protocol                   0x00000002
Network Protocol              0x00000004
Source IP                     0x00000008
Source Host Type              0x00000010
Source VLAN ID                0x00000020
Source Fingerprint ID         0x00000040
Source Criticality            0x00000080
Source Port                   0x00000100
Source Server                 0x00000200
Destination IP                0x00000400
Destination Host Type         0x00000800
Destination VLAN ID           0x00001000
Destination Fingerprint ID    0x00002000
Destination Criticality       0x00004000
Destination Port              0x00008000
Destination Server            0x00010000
Source User                   0x00020000
Destination User              0x00040000
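The following is an added example, not Cisco code, showing how a client should consume the Event Defined Mask (Table B-30) together with the impact flag patterns listed under the correlation event fields. Two things are easy to get wrong here and the code handles both: a field that follows the mask is only meaningful when its mask bit is set, so the impact byte is ignored unless bit 0x00000001 is set; and the red impact level is decided by any one of bits 3, 4, 6 or 7 before the three low bits are compared against the orange, yellow, blue and gray patterns (bit 5, the blocked bit, is the X in those patterns). Mask bits above bit 18 are not defined in Table B-30 and are reported rather than silently dropped. The bit tables are transcribed from this page; the sample mask and impact values at the end are constructed.

```python
# Bit tables transcribed from Table B-30 and the Event Impact Flags description above.
EVENT_DEFINED_MASK = {
    0x00000001: "Event Impact Flags", 0x00000002: "IP Protocol", 0x00000004: "Network Protocol",
    0x00000008: "Source IP", 0x00000010: "Source Host Type", 0x00000020: "Source VLAN ID",
    0x00000040: "Source Fingerprint ID", 0x00000080: "Source Criticality", 0x00000100: "Source Port",
    0x00000200: "Source Server", 0x00000400: "Destination IP", 0x00000800: "Destination Host Type",
    0x00001000: "Destination VLAN ID", 0x00002000: "Destination Fingerprint ID",
    0x00004000: "Destination Criticality", 0x00008000: "Destination Port",
    0x00010000: "Destination Server", 0x00020000: "Source User", 0x00040000: "Destination User",
}
DEFINED_BITS = sum(EVENT_DEFINED_MASK)  # OR of all documented bits (bits 0-18)

IMPACT_FLAG_BITS = {
    0x01: "host in monitored network", 0x02: "host in network map",
    0x04: "host runs server on port / uses IP protocol", 0x08: "vulnerability mapped to host OS",
    0x10: "vulnerability mapped to server", 0x20: "session dropped by device",
    0x40: "rule metadata sets impact red", 0x80: "vulnerability mapped to client",
}
# The four single-bit red patterns XXXX1XXX, XXX1XXXX, X1XXXXXX and 1XXXXXXX are bits 3, 4, 6, 7.
RED_BITS = 0x08 | 0x10 | 0x40 | 0x80
# The remaining patterns have the form 00X00abc: keyed on bits 2..0, with bit 5 as the X.
LOW_PATTERNS = {
    0b111: (2, "orange (potentially vulnerable)"),
    0b011: (3, "yellow (currently not vulnerable)"),
    0b001: (4, "blue (unknown target)"),
    0b000: (0, "gray (unknown)"),
}


def defined_fields(mask):
    """Return (names of fields the mask marks valid, leftover bits Table B-30 does not define)."""
    names = [name for bit, name in EVENT_DEFINED_MASK.items() if mask & bit]
    return names, mask & ~DEFINED_BITS


def impact_level(flags):
    """Map an Event Impact Flags byte to (impact level, label) using the patterns above.

    Any red bit wins. Otherwise only bits 0-2 and 5 can be set; bit 5 is ignored (the X)
    and bits 0-2 must match one of the four documented patterns, else the value is undefined."""
    low = flags & 0xFF
    if low & RED_BITS:
        return 1, "red (vulnerable)"
    return LOW_PATTERNS.get(low & 0x07, (None, "undefined pattern"))


def decode_correlation_flags(mask, impact_flags):
    """Interpret the Event Defined Mask and, only when the mask says it is valid, the impact byte."""
    names, undefined = defined_fields(mask)
    result = {"valid_fields": names, "undefined_mask_bits": undefined, "impact": None}
    if mask & 0x00000001:  # Event Impact Flags is present on the wire regardless, but only valid here
        level, label = impact_level(impact_flags)
        result["impact"] = {
            "level": level, "label": label,
            "set_bits": [name for bit, name in IMPACT_FLAG_BITS.items() if impact_flags & bit],
        }
    return result


if __name__ == "__main__":
    # Constructed values: the mask marks impact flags, source IP and destination IP as valid, and
    # the impact byte 0b00100111 is the orange pattern with the session-dropped bit (bit 5) also set.
    print(decode_correlation_flags(0x00000001 | 0x00000008 | 0x00000400, 0b00100111))
```

Note that an impact byte such as 0b00000010 (bit 1 without bit 0) matches none of the documented patterns; the function reports it as undefined rather than guessing a level, which is the safer behaviour when the value feeds an alerting rule.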

Legacy Host Data Structures

To request these structures, you must use a Host Request Message. To request a legacy structure, the Host Request Message must use an older format. See Host Request Message Format for more information.

The following topics describe legacy host data structures, including both host profile and full host profile structures:

Full Host Profile Data Block 5.0 - 5.0.2

The Full Host Profile data block for version 5.0 - 5.0.2 contains a full set of data describing one host. It has the format shown in the graphic below and explained in the following table. Note that, except for List data blocks, the graphic does not show the fields of the encapsulated data blocks. These encapsulated data blocks are described separately in Understanding Discovery & Connection Data Structures. The Full Host Profile data block has a block type value of 111.

Note An asterisk (*) next to a block name in the following diagram indicates that multiple instances of the data block may occur.